On 01/29/2019 01:19 AM, ObNox wrote:
Hi,
Hi ObNox,
For that to work, I need to make sure every separated component works as expected when configured separately.
Ah, yes. The joys / perils of testing discrete units individually and then start pugging them together like Legos and making sure that things still work.
Now, the trouble really begins :1/ I update the zones files to uncomment the "test" record and update the serial number2/ I update "named.conf" to uncomment the "allow-update" statement using "key-dhcp"3/ "named-checkconf" does not complain so "rndc reload"!Problem : The syslog messages don't show the lines indicating that the zones have been reloaded, here's an extract :… I was expecting the usual messages after a zone change, like previously: …So now, with the new "allow-update" statement, the zones are not reloaded and this is confirmed by "dig" :…The new record "test.domain.tld" is not found and the serial is not the new one!
I'm wondering if you're being bitten by something that got me years ago when I first started messing with dynamic zones that allowed updates.
In short, when dynamic updates are enabled, BIND will make changes to a journal file (which I think is binary). You have to "freeze" and "flush" the zone to be able to make to text file.
So I'm guessing that your change wasn't detected because you transitioned to dynamic updates ~> journal file at the same time (or apparently) before BIND loaded the new zone. Thus the journal ~> BIND was using the old version of the zone file.
I've found that I do most of my zone administration via nsupdate on the DNS server using the local key & socket.
I only go through the "freeze" & "flush", edit, and "thaw" (& "sign" for DNSSEC) cycle when I have more (complex) edits than I want to make via nsupdate. (I've also wrapped nsupdate with rlwrap so that I have some (readline) history and better nsupdate command line editing.)
I've tested dozens of combinations with both "allow-transfer" and "allow-update" by putting them at the "view" level, "options" level, "global" level, etc. and nothing changed.
If BIND did do what I'm thinking, then your edits were functionally lost. (Technically they may still be in the text file.)
So for now I'm lost and I need an expert's PoV to point what I'm doing wrong and/or what I missed!
I'm far from an expert. But hopefully you can benefit from my toe stubbing / razor cuts.
Thank you for any useful clue.
Good luck. -- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
